The UK has officially entered a new chapter in data regulation with the Data (Use and Access) Act 2025 (“DUAA”), a sweeping reform that aims to modernise how data is accessed, shared and protected across sectors. With Royal Assent granted on 19 June 2025, the DUAA is set to reshape the UK’s digital economy while maintaining strong privacy safeguards.

So, what’s changing and why should businesses care?

The DUAA doesn’t replace the UK GDPR, Data Protection Act 2018 (“DPA”) or Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), but it amends and streamlines them. It’s designed to:

  • encourage responsible data sharing;
  • support digital identity infrastructure;
  • enable smart data schemes;
  • simplify compliance for businesses;
  • strengthen law enforcement access to data; and
  • lay the groundwork for AI regulation.

9 Key Changes

1. Recognised Legitimate Interests

Organisations can now rely on a pre-approved list of “recognised legitimate interests”, such as fraud prevention or emergency response, without needing to conduct a legitimate interests assessment weighing their interests against those of individuals. This change aims to simplify compliance, particularly for routine or low-risk processing activities.

2. Purpose Limitation

The DUAA relaxes the purpose limitation principle by allowing organisations to reuse personal data for new purposes, as long as those purposes are not incompatible with the purpose for which the data was originally collected.

3. Automated Decision-Making (“ADM”)

The DUAA eases restrictions on ADM, provided that the data involved is not sensitive, that appropriate safeguards such as human oversight are in place, and that individuals are: (i) informed that automation is being used; and (ii) given a clear way to contest decisions.

4. Data Subject Access Requests (“DSAR”)

The DUAA introduces a “stop the clock” mechanism, allowing organisations to pause the one-month response deadline while they await information they reasonably need from the requester, such as proof of identity or clarification of the scope of the request. Once the necessary details are received, the clock resumes. The Act also codifies the requirement for organisations to conduct only “reasonable and proportionate” searches, helping to manage the burden of responding to complex or voluminous requests.

5. Cookie Rules & PECR Fines

The DUAA relaxes consent requirements for some types of cookies, such as those used to collect information for statistical purposes or to improve the functionality of a website. Importantly, breaches of PECR can now incur GDPR-level fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

6. International Transfers

The DUAA introduces a more flexible approach to cross-border data transfers. Under the new rules, such transfers are permitted as long as the destination country’s data protection standards are not “materially lower” than those of the UK. This shift from a stricter equivalence test to a more pragmatic threshold is intended to simplify international data flows for businesses. However, the change has raised concerns that it could jeopardise the UK’s EU adequacy status, which is due for review later this year.

7. Legal Professional Privilege (“LPP”)

The DUAA introduces a statutory exemption under Section 45A of the DPA, allowing organisations to withhold information subject to LPP from DSARs. Where LPP is claimed, the organisation must inform the requester of the exemption and the reason for it, unless doing so would itself breach privilege or confidentiality. This provides clearer legal protection for privileged information, especially in cross-border contexts where privilege standards may vary.

8. Research

The DUAA formally defines “scientific research” to include both public and commercial research, and permits the use of broad consent where specific research purposes are not yet known, provided ethical standards are upheld. The DUAA also reinforces key safeguards such as data minimisation, pseudonymisation and transparency, so that individuals’ rights remain protected even where consent is not required. This supports responsible, long-term data use while maintaining privacy and accountability.

9. Complaints

Organisations have a duty to support individuals who wish to raise concerns about the use of their personal information. This includes providing accessible means for submitting complaints, such as an online complaints form. Complaints must be acknowledged within 30 days and responded to without undue delay. Importantly, individuals must first raise their complaint directly with the organisation before escalating the matter to the Information Commissioner’s Office (“ICO”) if they are not satisfied with the response.


Why This Matters for You

  • You may need to revise your privacy policies, DSAR procedures and marketing practices to align with the new requirements.
  • If your business uses AI or automated tools, now is the time to review and strengthen your governance frameworks.
  • The DUAA creates space for innovation but also increases regulatory scrutiny, so businesses will be expected to act transparently and responsibly.

What’s Next?

While some provisions are already in force, most will be brought in between late 2025 and mid-2026, depending on commencement regulations. Businesses should monitor guidance from the ICO and prepare for phased implementation.

Final Thoughts

As the DUAA reshapes the UK’s data protection landscape, businesses must stay proactive in adapting to the new rules and the opportunities they present. If you need guidance on compliance, governance or how to make the most of these changes, our Commercial Team is here to help. Please don’t hesitate to get in touch.